Turns out, UPnP is terrible when it comes to security. The entire protocol exists to have devices easily find and connect to one another without any authentication at all. This is all good fun to poke around with. Here are a few tools and notes I've found along the way.
UPnP devices can be found by listening for UDP packets on port 1900. To actively discover these services on your network, send an HTTP M-SEARCH request to the default UDP multicast address: 239.255.255.250.
There are some great Linux tools that make interfacing with all of this stuff a cinch:
sudo apt update